Handling better supported channel binding types for SSL implementations

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Postgres hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Handling better supported channel binding types for SSL implementations
Date: 2018-01-22 07:29:36
Message-ID: 20180122072936.GB1772@paquier.xyz
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hi all,

Per the recent discussions around support of new SSL implementations for
Postgres, it is becoming rather clear to me that the backend needs to be
a bit smarter with the way it needs to decide if it should publish or
not SCRAM-SHA-256-PLUS in the list that the clients can use to choose a
SASL mechanism for authentication.

This has been discussed here in the MacOS SSL implementation:
https://www.postgresql.org/message-id/20180122014637.GE22690%40paquier.xyz
As well as here for GnuTLS:
https://www.postgresql.org/message-id/CAB7nPqRJteyoyyj8E__v1D1SMoj8jpv6ZPyHuc7Md45%2BED-uMA%40mail.gmail.com

Attached is a patch which is an attempt to make this choice cleaner for
new SSL implementations. As we are (rightly!) calling the APIs to fetch
the channel binding data only when necessary, I think that we need an
extra API for SSL implementations to let the server decide if channel
binding mechanisms should be published or not. There could be multiple
possibilities, like making this API return only a boolean flag. However
I have made a more extensible choice by having each SSL implementation
build a list of supported channel bindings. This matters for each
implementation as:
- GnuTLS only supports tls-unique.
- OpenSSL supports both tls-unique and tls-server-end-point.
- MacOS would support none.
However there is as well the argument that this list's contents are not
directly used now, and based on what I saw from the MacOS SSL and GnuTLS
patches that would not be the case after either.

I am adding that to the next CF for consideration.

Thoughts?
--
Michael

Attachment Content-Type Size
betls-channel-binding-list-v1.patch text/x-diff 2.5 KB

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Amit Khandekar 2018-01-22 07:44:51 Re: [HACKERS] UPDATE of partition key
Previous Message Pavel Stehule 2018-01-22 06:43:27 Re: pgbench - add \if support